Google Security Operations Integration Setup
This guide walks you through enabling the required API, creating a least-privilege custom role, and gathering the information required to connect your Google Security Operations instance as a SIEM with RAD Security. Google Security Operations (formerly Chronicle) provides cloud-native threat detection, investigation, and response at scale, with deep integration into the Google Cloud ecosystem.Prerequisites
Before you begin, ensure you have:- A Google Security Operations instance provisioned in a Google Cloud project
- Access to the Google Cloud Console with permissions to enable APIs, create custom IAM roles, and create service accounts
- Access to a RAD Security workspace with integration permissions
Understanding Integration Components
The Google Security Operations integration uses a Google Cloud service account authenticated with a JSON key:Custom IAM Role (Recommended)
Custom IAM Role (Recommended)
Service Account & JSON Key
Service Account & JSON Key
Step 1: Enable the Chronicle API
Sign in to Google Cloud Console
Open the API Library
Find the Chronicle API
Enable the API
Step 2: Gather your Security Operations values
Note your Project ID
Open Google SecOps
Open Instance Details
Copy Customer ID and Region
- Customer ID
- Region (typically
usoreu)
Step 3: Create a Limited Permissions Role
Open the IAM Roles editor
Configure role metadata
Add the required permissions
Create the role
Step 4: Create a Service Account
Create a new service account
Assign the role
- The custom role created in Step 3 (recommended), or
- The built-in Chronicle API Admin role
Create a service account key
Extract the credential values
- Client ID (
client_id) - Client Email (
client_email) - Private Key (
private_key)
Step 5: Configure in RAD Security
Navigate to your RAD Security workspace and configure the Google Security Operations integration with the following parameters:private_key string from your downloaded key file — not a typical OAuth client secret. Include the -----BEGIN PRIVATE KEY----- / -----END PRIVATE KEY----- delimiters and embedded newlines exactly as they appear in the file.https://us-chronicle.googleapis.com.Verify Integration
After completing the setup, verify your integration is working:Verify Query Capability
- Run a test query from RAD Security
- Verify Google Security Operations data appears correctly
- Check that results are properly formatted
Verify Data Ingestion
If you enabled event ingestion (chronicle.events.import):
- Trigger a test event in RAD Security
- Search for the event in Google Security Operations
- Verify the event appears with correct UDM formatting
What Data is Synced
Data Queried from Google Security Operations
Data Queried from Google Security Operations
- UDM events and search results
- Detections from legacy detection rules
- Available log types in your instance
- Historical security telemetry
Data Sent to Google Security Operations
Data Sent to Google Security Operations
- Runtime security events
- Container and cloud activity
- Policy violations
- Threat detections
- Incident data
- Custom security events
Use Cases
Unified Threat Intelligence
Cross-Platform Detection
Enhanced Investigation
Centralized SIEM
Troubleshooting
Permissions Not Available in Role Editor
Permissions Not Available in Role Editor
- Chronicle API not enabled on the project
- Wrong project selected in the console
- Confirm you are working in the correct Google Cloud project
- Re-enable the Chronicle API under APIs & Services → Library
- Wait a few minutes after enabling before reopening the role editor
Authentication Failed
Authentication Failed
- Client Email, Client ID, or Client Secret copied incorrectly
- Service account key was deleted or rotated
- Service account is missing the required role
- Newline characters stripped from the Client Secret (private key)
- Verify all three credential values come from the same key file
- Ensure the Client Secret includes the
-----BEGIN PRIVATE KEY-----and-----END PRIVATE KEY-----lines and embedded newlines - Confirm the service account still has the custom role or Chronicle API Admin assigned
- Generate a new service account key if needed
Permission Denied on Queries
Permission Denied on Queries
- Custom role missing one or more required permissions
- Service account assigned a different role
- Project ID mismatch
- Verify the custom role includes
chronicle.events.udmSearch,chronicle.logTypes.list,chronicle.legacies.legacySearchDetections, andchronicle.legacies.legacyGetDetection - Confirm the Project ID configured in RAD Security matches the project where the service account lives
- Re-bind the role to the service account if it was removed
Event Ingestion Failing
Event Ingestion Failing
chronicle.events.importpermission missing- Region mismatch
- Customer ID incorrect
- Add
chronicle.events.importto the custom role - Verify the Region (
us,eu, etc.) matches your Security Operations instance - Re-check the Customer ID from Instance Details
Regional Endpoint Issues
Regional Endpoint Issues
- Wrong Region value supplied
- Custom URL pointing to the wrong region
- Confirm the Region from the Instance Details page in Google SecOps
- Leave the URL field blank unless you have a specific reason to override it
- If overriding, supply the root URL only — for example
https://us-chronicle.googleapis.com